Source: Firewall rules logging: a closer look at our new network compliance and security tool from Google Cloud
As you migrate your workloads to the cloud, you need full visibility into accesses into your cloud workloads, to ensure that every established connection is authorized, and that every unwanted connection attempt is successfully blocked. As we announced last week, we are boosting Google Cloud Platform’s (GCP) network security audit and forensic capabilities with the introduction of firewall rule logging, allowing you to track every connection that has been allowed or denied in your VM instances, in near-real-time.
A part of our Network Telemetry offerings, firewall rules logging let you audit, verify, and analyze the effects of your firewall rules. In other words, you can validate that every connection established in your workload matches the conditions in your allow-access firewall rules; and similarly, that every connection matching a deny-access firewall rule is blocked.
Additionally, firewall logs shows allowed or denied connection records every five seconds, providing you with near real-time visibility into potential security risks.
Firewall logs captures coverage of all firewalls applied to every workload, including:
Allow and deny firewall rules
Ingress and egress connections
Connections from within a VPC and from the internet
The logs generated by this process produce records that include a variety of data points, including the connection’s 5-tuple, whether the disposition was ALLOWED or DENIED, and which rule that was applied at the time of the log. You can also natively export this data to Stackdriver Logging or BigQuery. Or, using Cloud Pub/Sub, you can export these logs to any number of real-time analytics or SIEM platforms.
Debug, audit and analyze your network security
The availability of firewall rules logging is useful for a wide variety of network security operations tasks:
Network security debugging – Firewall logs allows you to troubleshoot network connections, telling you in near real-time whether your 5-tuple connections were allowed or denied, by which firewall rule name and the exact conditions.
Network security forensics – Firewall logs allows you to investigate suspicious and unwanted network behavior, for example, large numbers of unauthorized connections from specific sources that are being blocked from access.
Network security auditing and compliance: Firewall logs also helps you ensure compliance, by logging every allowed connection and blocked unauthorized attempt at any given time. It also flags and logs VM instances trying to initiate unauthorised egress connections.
Real-time security analysis – With the Cloud Pub/Sub API, you can easily export your logs into any SIEM ecosystem that you may already be using.